From 0b883a90b647d2a95ecbfeeb712a64b6da49562c Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 2 Jul 2019 20:14:45 +0200
Subject: [PATCH] fix: null value in separate expression

---
 rules/windows/process_creation/win_susp_svchost.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/win_susp_svchost.yml b/rules/windows/process_creation/win_susp_svchost.yml
index 02c1d946c..8b51338a7 100644
--- a/rules/windows/process_creation/win_susp_svchost.yml
+++ b/rules/windows/process_creation/win_susp_svchost.yml
@@ -18,8 +18,9 @@ detection:
 - '*\MsMpEng.exe'
 - '*\Mrt.exe'
 - '*\rpcnet.exe'
- - null
- condition: selection and not filter
+ filter_null:
+ ParentImage: null
+ condition: selection and not filter and not filter_null
 fields:
 - CommandLine
 - ParentCommandLine
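Review bot: The new `filter_null` selection suppresses every event in which ParentImage is absent, and nothing in the rule records why; a reader of `condition: selection and not filter and not filter_null` cannot tell whether this is a false-positive measure for log sources that do not populate the field or an unintended blind spot. It carries over the `- null` entry removed from the list above, so behaviour is unchanged, but the intent deserves a line in the rule, e.g. a comment above `filter_null:`: `# Events without a ParentImage field cannot be judged by 'filter'; they are dropped rather than alerted on`. It is also worth confirming that each target backend translates `ParentImage: null` into a "field does not exist" test rather than a comparison against a literal value, since that is what the rule now depends on. The `detection` block, including the `filter` selection to which the `'*\...exe'` list presumably belongs, starts before the hunk.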